This module supports the use of password-based cryptography for encryption and message authentication using key derivation functions. This module is based on recommendations in PKCS #5 v2.0: Password-Based Cryptography, RSA Laboratories, March 25, 1999. The recommendations are available from http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html.
WARNING: It is not very practical to use Python for generating keys from passphrases; it is merely convenient. The key derivation process should take a long time, to thwart an attacker who attempts a dictionary attack on the password. But it can't take so long that the user grows impatient waiting for the key to be generated. The attacker could implement her brute force search in optimized C, which would be much faster than this Python implementation. Thus, this module provides much less security-for-the-wait than an optimized C version would.
Labels are an optional feature. The labels argument accepts a sequence of strings. If several keys with the same generation parameters are going to be created, the salt should contain some text that identifies the particular use of the key. These are the labels. When createKey is called, it will check to see if the label used is valid.
The design of this class is explained carefully in the PKCS #5 document. The implementation uses HMAC plus a hash function as its pseudorandom function. The default hash is SHA.
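The derivation and the labelled-salt idea described above, as an added example that is not this module's own code: it assumes the key derivation function is PBKDF2 from PKCS #5 v2.0 with HMAC-SHA-1 as the default PRF, and the names `pbkdf2`, `labelled_salt` and `derive_keys`, the label/NUL/random salt layout, and the sample password are all hypothetical.

```python
import hashlib
import hmac
import os

def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF2 (PKCS #5 v2.0, section 5.2) with HMAC-<hash_name> as the PRF."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    prf = hmac.new(password, digestmod=hash_name)   # keyed once, copied per call
    hlen = prf.digest_size
    blocks = []
    for i in range(1, -(-dklen // hlen) + 1):       # ceil(dklen / hlen) blocks
        h = prf.copy()
        h.update(salt + i.to_bytes(4, "big"))       # U_1 = PRF(P, S || INT(i))
        u = h.digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            h = prf.copy()
            h.update(u)                             # U_j = PRF(P, U_{j-1})
            u = h.digest()
            t ^= int.from_bytes(u, "big")           # T_i = U_1 xor ... xor U_c
        blocks.append(t.to_bytes(hlen, "big"))
    return b"".join(blocks)[:dklen]

def labelled_salt(label: str, random_part: bytes) -> bytes:
    """Assumed salt layout: purpose label, NUL separator, random bytes."""
    if "\x00" in label:
        raise ValueError("label must not contain NUL")  # keeps the split unambiguous
    return label.encode("utf-8") + b"\x00" + random_part

def derive_keys(password: bytes, random_part: bytes, labels,
                iterations: int = 10000, dklen: int = 32) -> dict:
    """One independent key per label from the same password and parameters."""
    return {lab: pbkdf2(password, labelled_salt(lab, random_part), iterations, dklen)
            for lab in labels}

if __name__ == "__main__":
    rnd = os.urandom(16)                            # constructed sample input
    keys = derive_keys(b"correct horse", rnd, ["encryption", "mac"])
    for lab, key in keys.items():
        # The C-backed standard-library routine must agree with the pure-Python one.
        ref = hashlib.pbkdf2_hmac("sha1", b"correct horse",
                                  labelled_salt(lab, rnd), 10000, 32)
        print(lab, key.hex(), "matches hashlib:", key == ref)
```

`hashlib.pbkdf2_hmac` computes the same function in compiled code, which is the faster kind of implementation the warning above refers to.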